Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a8541f866cac72ada61072660e9ca678c6295e94
https://github.com/WebKit/WebKit/commit/a8541f866cac72ada61072660e9ca678c6295e94
Author: Adrian Taylor <[email protected]>
Date: 2026-07-15 (Wed, 15 Jul 2026)
Changed paths:
M Source/WTF/WTF.xcodeproj/project.pbxproj
A Source/WTF/wtf/BorrowedBytes.h
M Source/WTF/wtf/CMakeLists.txt
M Source/WTF/wtf/module.modulemap
M Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj
M Source/WebCore/PAL/pal/CMakeLists.txt
M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESGCMCocoa.cpp
M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESKWCocoaBridging.cpp
M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmEd25519CocoaBridging.cpp
M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHKDFCocoaBridging.cpp
M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHMACCocoaBridging.cpp
M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmX25519CocoaBridging.cpp
M Source/WebCore/PAL/pal/crypto/CryptoEDKeyBridging.cpp
R Source/WebCore/PAL/pal/crypto/CryptoKit+UnsafeOverlays.swift
M Source/WebCore/PAL/pal/crypto/CryptoKitShim.swift
M Source/WebCore/PAL/pal/crypto/CryptoTypes.h
R Source/WebCore/PAL/pal/crypto/CryptoTypes.swift
M Source/WebCore/PAL/pal/crypto/PlatformECKey.cpp
A Source/WebCore/PAL/pal/crypto/WTFExtras.swift
M Source/WebCore/PAL/pal/crypto/commoncrypto/CryptoDigestCommonCrypto.cpp
M Tools/TestWebKitAPI/CMakeLists.txt
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WTF/BorrowedBytes.cpp
Log Message:
-----------
[Swift] Add BorrowedBytes and use from PAL
https://bugs.webkit.org/show_bug.cgi?id=318675
rdar://164560176
Reviewed by Ryosuke Niwa.
PAL has some code to interface with platform Swift crypto APIs marked with a
crucial FIXME showing that a large number of 'unsafe' statements need to be
removed. Those statements genuinely show a risk that present or future mistakes
in Swift or C++ code could have resulted in exploitable memory safety bugs.
This change adds suitable new primitives to allow buffers of bytes to be passed
safely across the C++/Swift boundary. It aims to do this with no extra
copying beyond the pre-existing state, so it should be performance-neutral.
This change adheres to the principle that we may need carefully human-reviewed
`unsafe` statements within WTF, in order to allow higher layers of the stack
to be entirely free of `unsafe`.
Specifically, we:
- introduce a Swift initializer for WTF::Vector<uint8_t> which can
construct such a vector from any Swift ContiguousBytes
- introduce a BorrowedBytes type which is a borrow of some C++ bytes
and in Swift complies with ContiguousBytes, thus can be passed to
the crypto APIs as-is. This new type achieves memory safety by
communicating with a couple of different BorrowScope types in C++ which
mark the allowable lifetime of the use of the bytes. If the
borrow scope is destroyed while Swift may still want to use the bytes,
a clean runtime crash will occur rather than an exploitable bug.
- adapt PAL to use these, removing all 'unsafe' statements from PAL's
Swift code.
- add a test for BorrowedBytes.
If the bytes are being borrowed from a Vector, this mechanism interacts
with the existing CanBorrow mechanism, so this should guard against
reallocations or resizes of the vector as well as destruction of the
vector overall. This result required an additional change to WTF::Vector,
raised as https://github.com/WebKit/WebKit/pull/68737.
At present, WTF cannot support Swift, for reasons explained in the following
bugs. The WTF Swift code is therefore temporarily alongside the crypto
code in PAL in a file called WTFExtras.swift.
https://bugs.webkit.org/show_bug.cgi?id=315629
rdar://178003865
Test: Tools/TestWebKitAPI/Tests/WTF/BorrowedBytes.cpp
* Source/WTF/WTF.xcodeproj/project.pbxproj:
* Source/WTF/wtf/BorrowedBytes.h: Added.
(WTF::BorrowedBytes::size const):
(WTF::BorrowedBytes::ref const):
(WTF::BorrowedBytes::deref const):
(WTF::BorrowedBytes::create):
(WTF::BorrowedBytes::BorrowedBytes):
(WTF::BorrowedBytes::revoke):
(WTF::BorrowedBytesScopeBase::BorrowedBytesScopeBase):
(WTF::BorrowedBytesScopeBase::~BorrowedBytesScopeBase):
* Source/WTF/wtf/CMakeLists.txt:
* Source/WTF/wtf/module.modulemap:
* Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj:
* Source/WebCore/PAL/pal/CMakeLists.txt:
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESGCMCocoa.cpp:
(PAL::Crypto::encryptCryptoKitAESGCM):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESKWCocoaBridging.cpp:
(PAL::Crypto::wrapKeyAESKWCryptoKit):
(PAL::Crypto::unwrapKeyAESKWCryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmEd25519CocoaBridging.cpp:
(PAL::Crypto::signEd25519CryptoKit):
(PAL::Crypto::verifyEd25519CryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHKDFCocoaBridging.cpp:
(PAL::Crypto::deriveBitsHKDFCryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHMACCocoaBridging.cpp:
(PAL::Crypto::signHMACCryptoKit):
(PAL::Crypto::verifyHMACCryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmX25519CocoaBridging.cpp:
(PAL::Crypto::deriveBitsX25519CryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoEDKeyBridging.cpp:
(PAL::Crypto::EdKey::privateToPublic):
(PAL::Crypto::EdKey::privateToPublicKeyAgreement):
(PAL::Crypto::EdKey::validateKeyPair):
(PAL::Crypto::EdKey::validateKeyPairKeyAgreement):
* Source/WebCore/PAL/pal/crypto/CryptoKit+UnsafeOverlays.swift: Removed.
* Source/WebCore/PAL/pal/crypto/CryptoKitShim.swift:
(Digest.update(_:)):
(Digest.finalize):
(Digest.sha1(_:)):
(Digest.sha256(_:)):
(Digest.sha384(_:)):
(Digest.sha512(_:)):
(ECKey.importX963Pub(_:curve:)):
(ECKey.exportX963Pub):
(ECKey.importCompressedPub(_:curve:)):
(ECKey.importX963Private(_:curve:)):
(ECKey.exportX963Private):
(ECKey.deriveBits(_:)):
(EdKey.generatePrivateKey(_:)):
(EdKey.generatePrivateKeyKeyAgreement(_:)):
(WTF.requireNonEmpty):
(Curve25519.signature(_:)):
(Curve25519.isValidSignature(_:data:)):
(Curve25519.sharedSecretFromKeyAgreement(_:)):
* Source/WebCore/PAL/pal/crypto/CryptoTypes.h:
* Source/WebCore/PAL/pal/crypto/CryptoTypes.swift: Removed.
* Source/WebCore/PAL/pal/crypto/PlatformECKey.cpp:
(PAL::Crypto::PlatformECKey::sign const):
(PAL::Crypto::PlatformECKey::doVerify const):
(PAL::Crypto::PlatformECKey::importX963Pub):
(PAL::Crypto::PlatformECKey::importX963Private):
(PAL::Crypto::PlatformECKey::importCompressedPub):
* Source/WebCore/PAL/pal/crypto/WTFExtras.swift: Added.
(WTF.startIndex):
(WTF.endIndex):
(WTF.regions):
(NonNullBytes.placeholder):
(NonNullBytes.regions):
(NonNullBytes.startIndex):
(NonNullBytes.endIndex):
(WTF.asNonNullBytes):
(makeVectorUInt8(copying:)):
* Source/WebCore/PAL/pal/crypto/commoncrypto/CryptoDigestCommonCrypto.cpp:
(PAL::Crypto::CryptoDigest::addBytes):
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WTF/BorrowedBytes.cpp: Added.
(TestWebKitAPI::TEST(WTF_BorrowedBytes, SpanScopeExposesBytes)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, SpanScopeOverSubspan)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, VectorScopeExposesBytes)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, EmptySpan)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, EmptyVector)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, ScopeHoldsSoleReference)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, NestedVectorScopes)):
(TestWebKitAPI::TEST(WTF_BorrowedBytesDeathTest,
MAYBE_ASSERT_ENABLED_DEATH_TEST(StashedViewCrashesAtScopeEnd)):
Canonical link: https://commits.webkit.org/317262@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications